this post was submitted on 09 Sep 2025
Linux

Hi all—as the title suggests, I'm experiencing a compatibility issue between UFW and my VPN (Windscribe, if it matters). My UFW defaults are set to deny incoming, allow outgoing, and routed disabled, with no exception rules configured. When I enable Windscribe (I use OpenVPN UDP on port 80, if that matters) while UFW is active, Windscribe reports a network configuration error and requests sending debug logs; ignoring the error still allows the VPN to function, but I observe IPv6 and DNS leaks. Disabling UFW removes the error and the leaks. What UFW configuration is causing this behavior, and which specific rules should I add to prevent IPv6 and DNS leaks while keeping UFW enabled?

Also, here is the output of `iptables -L` again, with markdown:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
windscribe_input  all  --  anywhere             anywhere             /* Windscribe client rule */
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
windscribe_block  all  --  anywhere             anywhere             /* Windscribe client rule */

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
windscribe_output  all  --  anywhere             anywhere             /* Windscribe client rule */
windscribe_dnsleaks  all  --  anywhere             anywhere             /* Windscribe client dns leak protection */
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere
windscribe_block  all  --  anywhere             anywhere             /* Windscribe client rule */

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination

Chain ufw-logging-deny (2 references)
target     prot opt source               destination

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:22000 /* 'dapp_syncthing' */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:22000 /* 'dapp_syncthing' */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:21027 /* 'dapp_syncthing' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10387
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10387

Chain ufw-user-limit (0 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-output (1 references)
target     prot opt source               destination

Chain windscribe_block (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Windscribe client rule */

Chain windscribe_dnsleaks (1 references)
target     prot opt source               destination
DROP       udp  --  anywhere             dns9.quad9.net       udp dpt:domain /* Windscribe client dns leak protection */
DROP       tcp  --  anywhere             dns9.quad9.net       tcp dpt:domain /* Windscribe client dns leak protection */

Chain windscribe_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* Windscribe client rule */
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc /* Windscribe client rule */
ACCEPT     all  --  GTS                  anywhere             /* Windscribe client rule */
DROP       all  --  192.168.0.0/16       anywhere             /* Windscribe client rule */
DROP       all  --  172.16.0.0/12        anywhere             /* Windscribe client rule */
DROP       all  --  169.254.0.0/16       anywhere             /* Windscribe client rule */
ACCEPT     all  --  10.255.255.0/24      anywhere             /* Windscribe client rule */
DROP       all  --  10.0.0.0/8           anywhere             /* Windscribe client rule */
DROP       all  --  base-address.mcast.net/4  anywhere        /* Windscribe client rule */
ACCEPT     all  --  anywhere             anywhere             /* Windscribe client rule */
ACCEPT     all  --  146.70.203.19        anywhere             /* Windscribe client rule */
ACCEPT     all  --  localhost            anywhere             /* Windscribe client rule */
ACCEPT     all  --  localhost/8          anywhere             /* Windscribe client rule */
ACCEPT     all  --  192.168.0.0/16       anywhere             /* Windscribe client rule */
ACCEPT     all  --  172.16.0.0/12        anywhere             /* Windscribe client rule */
ACCEPT     all  --  169.254.0.0/16       anywhere             /* Windscribe client rule */
DROP       all  --  10.255.255.0/24      anywhere             /* Windscribe client rule */
ACCEPT     all  --  10.0.0.0/8           anywhere             /* Windscribe client rule */
ACCEPT     all  --  base-address.mcast.net/4  anywhere        /* Windscribe client rule */

Chain windscribe_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* Windscribe client rule */
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc /* Windscribe client rule */
ACCEPT     all  --  anywhere             GTS                  /* Windscribe client rule */
DROP       all  --  anywhere             192.168.0.0/16       /* Windscribe client rule */
DROP       all  --  anywhere             172.16.0.0/12        /* Windscribe client rule */
DROP       all  --  anywhere             169.254.0.0/16       /* Windscribe client rule */
ACCEPT     all  --  anywhere             10.255.255.0/24      /* Windscribe client rule */
DROP       all  --  anywhere             10.0.0.0/8           /* Windscribe client rule */
DROP       all  --  anywhere             base-address.mcast.net/4  /* Windscribe client rule */
ACCEPT     all  --  anywhere             anywhere             /* Windscribe client rule */
ACCEPT     all  --  anywhere             146.70.203.19        owner GID match root /* Windscribe client rule */
ACCEPT     all  --  anywhere             146.70.203.19        owner GID match windscribe /* Windscribe client rule */
ACCEPT     all  --  anywhere             146.70.203.19        ! owner UID match 0-4294967294 /* Windscribe client rule */
ACCEPT     all  --  anywhere             146.70.203.19        mark match 0xca6c /* Windscribe client rule */
ACCEPT     all  --  anywhere             localhost            /* Windscribe client rule */
ACCEPT     all  --  anywhere             localhost/8          /* Windscribe client rule */
ACCEPT     all  --  anywhere             192.168.0.0/16       /* Windscribe client rule */
ACCEPT     all  --  anywhere             172.16.0.0/12        /* Windscribe client rule */
ACCEPT     all  --  anywhere             169.254.0.0/16       /* Windscribe client rule */
DROP       all  --  anywhere             10.255.255.0/24      /* Windscribe client rule */
ACCEPT     all  --  anywhere             10.0.0.0/8           /* Windscribe client rule */
ACCEPT     all  --  anywhere             base-address.mcast.net/4  /* Windscribe client rule */
```
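An added example (not code from the thread, ufw or Windscribe) that parses a listing in the format pasted above and runs two checks a reviewer of this ruleset would want: the plain-DNS drops in `windscribe_dnsleaks`, and the first terminating rule in a chain that shows no match at all. `SAMPLE` is a constructed excerpt in that format, not the full listing.

```python
# Added example, not code from the thread or from ufw/Windscribe: parse `iptables -L`
# text as pasted above, then run two audit checks. SAMPLE is a constructed excerpt.
import re

SAMPLE = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
windscribe_dnsleaks  all  --  anywhere  anywhere  /* Windscribe client dns leak protection */

Chain windscribe_dnsleaks (1 references)
target     prot opt source               destination
DROP  udp  --  anywhere  dns9.quad9.net  udp dpt:domain /* Windscribe client dns leak protection */
DROP  tcp  --  anywhere  dns9.quad9.net  tcp dpt:domain /* Windscribe client dns leak protection */

Chain windscribe_input (1 references)
target     prot opt source               destination
ACCEPT  all  --  anywhere        anywhere  /* Windscribe client rule */
DROP    all  --  192.168.0.0/16  anywhere  /* Windscribe client rule */
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")

def parse_iptables_l(text):
    """{chain: {policy, refs, rules}}; rule = target, prot, src, dst, extra, comment."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": [],
                                                 "refs": int(m.group(3)) if m.group(3) else None})
        elif cur and line.strip() and not line.startswith("target"):
            cm = re.search(r"/\*\s*(.*?)\s*\*/", line)     # the comment markdown mangled above
            comment, line = (cm.group(1), line[:cm.start()]) if cm else (None, line)
            parts = line.split(None, 5)                     # target prot opt src dst [extra]
            if len(parts) >= 5:
                cur["rules"].append({"target": parts[0], "prot": parts[1], "src": parts[3], "dst": parts[4],
                                     "extra": parts[5].strip() if len(parts) > 5 else "", "comment": comment})
    return chains

def dns_drop_rules(chains, chain="windscribe_dnsleaks"):
    """(prot, dst) of plain-DNS DROPs; IPv4 only, `iptables -L` says nothing about ip6tables."""
    return [(r["prot"], r["dst"]) for r in chains.get(chain, {"rules": []})["rules"]
            if r["target"] == "DROP" and "dpt:domain" in r["extra"]]

def first_catch_all(chains, chain):
    """Index of the first terminating rule showing no match at all (all, anywhere -> anywhere)."""
    for i, r in enumerate(chains[chain]["rules"]):
        if r["target"] in ("ACCEPT", "DROP", "REJECT") and r["prot"] == "all" \
                and r["src"] == r["dst"] == "anywhere" and not r["extra"]:
            return i
    return None
```

A rule that `first_catch_all` flags is only suspicious, not proven to shadow what follows: `iptables -L` without `-v` omits `-i`/`-o` interface matches, so re-run with `iptables -L -v` before concluding that later rules are dead. Likewise the DNS check only covers IPv4; IPv6 rules live in `ip6tables -L` and are not in this listing at all.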